As we close in on the final stages of dry-anuary, we are taking the opportunity to make some reasoned predictions for 2016 in the world of cyber insurance, data breaches and privacy liability.
2016 may well be the year that the UK finally "gets" what cyber insurance is about. Major breaches, significant publicity surrounding cyber risks and Government support in 2015 all added to this wider understanding.
We predict that published data breaches in the private sector will increase this year. We have noticed a heightened awareness amongst our clients not only of the ICO's guidance on notifying serious breaches but also of a sense of corporate responsibility to do the right thing. Of course, the General Data Protection Regulation, whilst in near final form, will take at least another two years to come into effect, but most prudent organisations appreciate that they need to start their GDPR compliance programme now rather than wait until the regulation comes into force.
Privacy liabilities and claims for compensation are also set to increase on the back of Vidal Hall v Google. Notwithstanding that the case has been appealed and is due to be heard in the Supreme Court in October this year, another recent case awarded significant privacy damages. On 17 December 2015, the Court of Appeal in Representative Claimants v MGN  EWHC 1482 (Ch), upheld damage awards of between £72,500 and £260,250 per victim. These awards were based on the tort of misuse of private information, and so are unrelated to and unaffected by the data protection law point on appeal in Vidal Hall v Google. However, significant privacy breach damages are here to stay, which will only add to the already increasing trend of Data Protection Act breach claims. Of course, this is a matter not only for cyber insurers, but for insurers of all liability classes.
We predict 2016 will also be a big year for cyber business interruption incidents. In the last month alone we have seen outages on the Steam, Minecraft and PlayStation gaming networks after hackers attacked servers on Christmas Day, preventing gamers from enjoying their new toys. On 23 December, a highly organised (and allegedly state-sponsored) attack on the Ukrainian Power Grid cut power to more than 80,000 people. The attackers infected the computer systems with malware, paralysing the company, and disconnected breakers, meaning that workers had to travel to substations and manually change the settings to restore power. In addition, they sabotaged the control systems to give the impression that power was still flowing and, in a telephone denial-of-service attack, flooded the customer service call centre to prevent real customers from reporting the outage. Finally, whilst not a cyber-attack, the Oyster card system failure caused by an upgrade to London tube fares after the Christmas break meant thousands of people travelled for free, with TfL sustaining financial losses.
Topics for debate throughout 2016 will include the evolution and increasing occurrence of cyber crime and whether this should fall to cyber insurers simply by virtue of use of the term "cyber". Unfortunately, customers often believe that their existing policies ought to cover fidelity losses caused by cyber crime. The confusion is heightened by news reports mistakenly claiming that "cyber insurers" refuse to pay out, when in fact insureds are seeking to crowbar a cyber loss into a non-cyber policy. This was highlighted in a recent case in the US in which a Texas manufacturing company is suing its commercial crime insurers for refusing to cover a loss caused by a phishing scam in which the chief executive of the company was impersonated and the director of accounting duped into sending $480,000 to an imposter's account. Suspicions were only aroused when the scammer, pushing his luck, requested a second payment of $18,000,000. The claim was denied by the commercial crime insurers as it did not involve the forgery of a financial instrument, as required by the policy. Perhaps the key question here is where these increasingly frequent modern-day crimes should fall for coverage, and whether this should be an area of inclusion for cyber underwriters.
The debate over property damage caused by cyber events, and into which sector of insurance it should fall, will also continue. Given the increasing propensity for cyber war and cyber terrorism (as reported in last month's newsletter), we foresee further industry advocates in favour of a Government-backed cyber terrorism pool.